Skype's Twitter account compromised by Syrian Electronic Army

It would appear that 2014 is starting off on a sour note for the folks in Microsoft's social media team.

The Syrian Electronic Army (SEA) appears to have compromised Skype's Twitter account. Skype was acquired by Microsoft in 2011.

There is evidence to suggest the attackers were able to gain access to Skype's Facebook and WordPress blogs as well, likely indicating either shared passwords or perhaps compromise of Skype employees' email accounts.

This isn't entirely surprising as the FBI had issued a warning on Christmas Eve to media organizations about a new wave of phishing attacks associated with the infamous SEA.

Skype has more than three million followers on Twitter, which indicates that, had the attackers wanted to send out malicious links or other dangerous content, this could have been a whole lot worse.

What I would like to know is why on earth a company social media profile with over three million followers would not be using two-factor authentication.

Earlier this year Twitter rolled out an improved two-factor solution seemingly in response to previous attacks by the SEA.

WordPress offers two-factor authentication and Facebook has supported two-factor authentication for a couple of years now, all in an attempt to prevent this exact type of attack.

Microsoft, would you care to explain why you apparently are not using it?

I believe it is the responsibility of organizations with a large number of followers to do whatever they can to secure their profiles.

I suppose this can be a lesson to the rest of us. Take advantage of the safety net of two-factor authentication whenever possible. While it may be less than perfect, so are you.

For me it only works when alternative delivery methods are offered. Like my bank offers an in the moment choice between a voice (to mobile or land line), a text and an email message with a security code. Since my mobile phone doesn't work most of the time, due to where I live, a 2-factor solution doesn't work for me if the only option available is a text message.

I've had similar issues with receiving texts. Most services offer an app (Twitter, Facebook), Google Authenticator (avail on Android, Blackberry, iOS) or SMS. Some will call you if the SMS isn't working (Facebook, Google).

Off topic: If you have poor cell reception but good broadband Internet where you live, talk to your carrier about getting a microcell/femptocell. It uses your broadband connection to talk to the carrier and provides a local cell tower for your devices.

"What I would like to know is why on earth a company social media profile with over three million followers would not be using two-factor authentication." Because it is a marketing account maintained by several people?

To this day, Microsoft does not offer 2 factor authentication (2FA) for its Web-based Hotmail (now called Outlook) email program.

[Post edited for length]

Now, then. Sophos, I have two questions for you:

1. What in addition to 2FA can non-psychopaths use to try to protect themselves against psychopaths?

2. Which is the safest (read: the least interceptable) way to receive 2FA codes? How easily can hackers intercept 2FA codes when they are sent to cell phones or smart phones? Are they safer when sent to offline cell phones than to online smartphones or is there no appreciable difference? Finally, how easily can hackers intercept 2FA codes when they are sent to landline phones? Your recommendations?

* Choose a hard-to-guess regular password.
* Use a different password for each online account.
* Use a decent anti-virus to increase your resilience to password keylogging.

The two main ways for two step verification are [1] via SMS (great if you have reliable mobile service and you don't browse on the same device on which you receive the SMSes) [2] a separate authenticator app on a mobile device (can work offline, and great if you don't browse on the same device as you run the authenticator app).

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics.
You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.